Message content protection and conditional disclosure

ABSTRACT

Methods and systems are provided for controlling the disclosure of sensitive information. Disclosure is controlled in the sense that (a) the information is not disclosed until predefined conditions are met, such as the passage of a certain time without an authorized update request for secrecy, (b) copies of the information are protected by encryption and by widespread, unpredictable storage, so that at least one copy will be available when disclosure is required, (c) the information is kept secret until disclosure is required, and (d) when disclosure is required, the information is sent to predefined destinations such as email addresses or posted to web sites, in a predefined format.

RELATED APPLICATIONS

The present application claims the benefit of commonly owned copending U.S. patent application Ser. No. 60/078,175 filed Mar. 16, 1998, which is incorporated herein by this reference.

FIELD OF THE INVENTION

The present invention relates to the use of computer networks to both protect message contents by keeping them secret until a specified condition occurs and to disclose the message contents in a specified manner if the condition occurs. More particularly, the invention relates to information escrow using computer networks, encryption, replication, network traversal, and other tools and techniques.

TECHNICAL BACKGROUND OF THE INVENTION

It is sometimes very important to keep certain information secret unless a particular person dies or becomes otherwise incapacitated, in which case the information should be disclosed in a specified way. More generally, it would often be useful to keep information secret until certain conditions occur, and to then disclose the information in a particular way.

Many situations illustrate the need for carefully controlled disclosure of sensitive information. For example, consider wills and other statements made in contemplation of one's death. The contents of a will are often kept secret from most of the people identified in the will until the person who made the will dies. Then, and only then, is the will disclosed to the people and the institutions who are (or are not) beneficiaries under the will.

As another example, consider information discovered by a potential whistle-blower or other witness to some wrongful act or plot. If the wrongdoing is not promptly reported to the proper authorities, a wrongdoer may believe that all of the incriminating evidence can be destroyed, and may attempt to do so, regardless of the harm inflicted on witnesses and others, including innocent bystanders. Evidence is sometimes lost because a witness is reluctant to tell others because the evidence would implicate the witness in lesser but nonetheless serious violations, because the evidence raises questions but is not conclusive evidence of a crime, or because the witness does not wish to place anyone else at risk. Thus, it would be helpful to provide a reliable way for a witness to preserve a description of events (and possibly other information as well), without directly involving another person until disclosure of the information becomes necessary.

Less dramatic but nonetheless important situations calling for carefully controlled disclosure also arise in other contexts. For instance, a software company which licenses only object code versions of its proprietary software may agree to make the corresponding source code versions available to a licensee if the software company goes bankrupt or discontinues support, or if some other stated condition occurs. The source code should be disclosed, but it should be disclosed only to the licensee and only when the stated conditions occur.

As another example, consider the address databases that correlate domain names with IP addresses on the web, password databases, digital certificate databases, marketing databases that correlate email addresses with names and other demographic information, bank account databases, and the many other databases that support electronic commerce. An illicit copy of such a database could be put to many unauthorized purposes, so backup copies should be stored securely. On the other hand, authorized system personnel should have ready access to a copy if necessary to restore operation of the system.

Accordingly, mirroring servers, compressed archives, and other backup tools and techniques are used to create frequent backups and to disperse them geographically to reduce the risk of losing the data. Physical security methods ranging from locked doors to dismounted magnetic tapes to watchdogs are also used, to make sure the backup is available only to authorized system administrators.

More generally, current approaches to controlled disclosure of sensitive information often involve asking someone to act as a guardian of the information. The guardian role may be filled by a coworker, friend, relative, spouse, attorney, journalist, escrow agent, or other person. The guardian is asked to receive the information, to hold it in strict secrecy until some stated condition occurs (typically death, bankruptcy, data loss, or other incapacitation), and to then disclose the information to one or more persons who have previously been identified or described by the person who places the information in the guardian's care.

Unfortunately, present guardianship approaches are vulnerable to natural disasters, wars, terrorist attacks, or even more mundane problems such as record-keeping errors or satellite failures. Such events may destroy all copies of the information. They may also make the copies difficult or impossible to locate, or result in premature or misdirected disclosure of the information.

Guardianship may also fail in other ways. Even if a guardian has the best of intentions, the guardian's copy of the information may be lost or destroyed despite the guardian's efforts. If the information is sufficiently valuable and is perceived to be vulnerable, then the guardian may be the target of extreme efforts, either to prevent disclosure of the information or to obtain unauthorized access to the information. Moreover, approaches which rely on professional escrow agents or attorneys as guardians tend to be relatively expensive, inconvenient, or both.

Modern computer technology provides many tools for managing information, so it is reasonable to ask whether some form of automation might help guardians. However, the diversity of techniques and devices available makes it difficult to determine which tools and techniques are relevant to the problem at hand. To give but a few examples of the available technologies: user interfaces make it easier to control software and hardware; hardware advances make it possible to create ever more complex and adaptable systems; networks (both wired and wireless) connect computers at different locations with different levels of security; platform-independent libraries and languages help make functionally compatible software available throughout a network; visualization tools help present information to viewers in meaningful ways; databases organize information in a way that promotes analysis of the information and provides access to the information; web crawlers create indexes which help locate information; artificial intelligence techniques help process information; identification, authentication, and encryption methods help keep information secret from unauthorized viewers and/or detect tampering; fault-tolerant systems, replication methods, and archival techniques each provide some assurance that another copy of critical data will be available if a given server or link goes down; programming languages and other development tools encourage experimentation and rapid development of prototype computer systems; and tools and economic incentives promote the commercialization and adoption of new computer software and hardware products. The difficulty lies in determining which techniques are useful for controlling disclosure, and how to adapt or combine them for such use.

In short, it would be an advancement to provide an approach which draws on relevant computer technology tools and techniques and combines or develops them in new ways to improve control over the disclosure of sensitive information.

Such an approach is disclosed and claimed herein.

BRIEF SUMMARY OF THE INVENTION

The present invention relates to methods, articles, signals, and systems for controlling the disclosure of sensitive information. Because the invention could be used in so many different situations, information is considered “sensitive” if an information provider chooses to use the invention to control its disclosure. The invention hides copies of sensitive information in networks to prevent destruction of every copy, and discloses the information in a specified way if specified conditions occur. Metaphorically, the invention provides a “hidden choir” which will sing when desired and otherwise remain silently ready in the background.

In some embodiments, the invention is implemented with computer software which runs on standard computer hardware. In other embodiments, the invention takes advantage of special-purpose hardware such as biometric scanners. But in each case, the invention helps control the disclosure of sensitive information provided by users, and it does so in a way that goes beyond merely denying access to unauthorized users.

Disclosure is controlled in the sense that (a) the information is not disclosed until specified conditions are met, (b) copies of the information are protected so that at least one copy is likely to be available when disclosure is required, (c) the information is kept secret until disclosure is required, and (d) when disclosure is required, the information is disclosed by being sent to specified destinations. Authorized deletion of the information copies may also be controlled.

While awaiting a disclosure trigger and/or a deletion trigger (either or both of which may never occur in some cases), the information is protected against inadvertent or premature disclosure. Protection is provided by encryption, by dividing the information between messages stored at different locations, and/or by omitting clues that would reveal the full import of the stored information.

For instance, the invention may be used to control disclosure such that (a) sensitive information is not disclosed until the incapacitation or death of the information's source is noted in two separate public sources, (b) thousands of copies of the information are spread in an apparently unpredictable and unrecorded manner throughout a global computer network so that even if many copies are lost or destroyed, at least one copy will probably still be available when disclosure is required, (c) each copy is encrypted so the information remains secret until disclosure is required, and (d) when disclosure is required, at least one copy of the information is sent within a predetermined time period to each predefined destination, such as an email address or a web site, either in a plain text format or encrypted with a public key corresponding to the destination.

In particular, suppose Pat Elder wants to control disclosure of a last will and testament. Using software according to one embodiment of the invention, Pat can create dozens or hundreds of encrypted copies of the will in hidden locations around the world, so that many copies would survive an earthquake or flood that destroys Pat's hometown (including Pat's home, Pat's bank, and Pat's attorney's office). After consulting an attorney, Pat decides that copies of the will should be emailed to each of Pat's children, to Pat's attorney, and to the local courthouse if Pat does not respond within one week to a regular monthly inquiry from the invention. A response will not be accepted by the invention as authentic unless it includes information that (a) identifies Pat as its source, and (b) ensures that a copy of an earlier response from Pat is not being submitted by someone else in an attempt to trick the system. As part of the controlled disclosure, each copy of the last will and testament will be signed using Pat's public key; the copy emailed to the courthouse will be in plain text (decrypted), and each of the other copies will be encrypted using the recipient's public key.

The invention may also be used to escrow source code, legal documents, and other confidential or proprietary information. Accordingly, disclosure may be conditioned on bankruptcy filings, stock prices, news wire stories, and a wide range of other publicly available information. Sources being monitored to determine whether a disclosure condition exists may be widely available, such as public media, or they may be specific web sites or news groups.

Conditions and constraints may also be placed on deletion of the escrowed information. For instance, in some embodiments users who provide sensitive information to the system cannot retract it later, even if they establish themselves as the information providers. In some embodiments, sensitive information is automatically deleted if it has not been disclosed after a certain period of time; in some it is deleted if some other deletion condition occurs. Combinations of disclosure and deletion conditions are also possible. Other features and advantages of the present invention will become more fully apparent through the following description.

BRIEF DESCRIPTION OF THE DRAWINGS

To illustrate the manner in which the advantages and features of the invention are obtained, a more particular description of the invention will be given with reference to the attached drawings. These drawings only illustrate selected aspects of the invention and thus do not limit the invention's scope. In the drawings:

FIG. 1 is a diagram illustrating one of many networks suitable for use according to the present invention.

FIG. 2 is an introductory flowchart illustrating methods of the present invention.

FIG. 3 is a flowchart illustrating a message accepting step of the invention.

FIG. 4 is a diagram illustrating a message format according to the invention.

FIG. 5 is a diagram illustrating another message format of the invention.

FIG. 6 is a flowchart illustrating methods of the invention for controlling information disclosure using roving messages.

FIG. 7 is a flowchart illustrating methods of the invention for controlling information disclosure using roving messages and message updates.

FIG. 8 is a flowchart illustrating methods of the invention for controlling information disclosure using poised messages.

FIG. 9 is a flowchart illustrating methods of the invention for controlling information disclosure using poised messages and message updates.

FIG. 10 is a diagram illustrating a message update format according to the invention.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

In describing methods, devices, signals, and systems according to the invention, the meaning of several important terms is clarified; the claims must be read with careful attention to these clarifications. Specific examples are given to illustrate aspects of the invention, but those of skill in the relevant art(s) will understand that other examples may also fall within the meaning of the terms used, and hence within the scope of one or more claims. Important terms are defined, either explicitly or implicitly, both here in the specification and elsewhere in the application file.

Computer Network

FIG. 1 illustrates a network 100 which is one of the many computer networks suitable for use according to the invention. Suitable networks include one or more local area networks, wide area networks, metropolitan area networks, and/or “Internet” or IP networks such as the World Wide Web, a private Internet, a secure Internet, a value-added network, a virtual private network, an extranet, an intranet, or even standalone machines which communicate with other machines by physical transport of media (a so-called “sneakernet”). In particular, a suitable network may be formed from parts or entireties of two or more other networks, including networks using disparate hardware and network communication technologies.

In many cases, a geographically dispersed network, up to and including a global computer network such as the Internet which includes nodes on different continents, is preferred because additional storage locations and physical separation of storage locations and variations in their surroundings (electronic and managerial) enhance the survival prospects for a given piece of information that is spread through the network according to the invention. “Geographically dispersed” means the network includes two nodes which are at least ten miles apart. However, more localized networks like the network 100 may also be used.

The network 100 includes a server 102 and several clients 104; other suitable networks may contain other combinations of servers, clients, and/or peer-to-peer nodes, and a given computer may function both as a client and as a server. Each network includes at least two computers such as the server 102 and/or clients 104. A computer may be a workstation, laptop computer, disconnectable mobile computer, server, mainframe, cluster, so-called “network computer” or “thin client”, personal digital assistant or other hand-held computing device, “smart” consumer electronics device or appliance, or a combination thereof.

Each computer includes at least a processor and a memory; computers may also include input devices and/or output devices. The processor may include a general purpose device such as an 80x86, Pentium (mark of Intel), 680x0, or other “off-the-shelf” microprocessor. The processor may include a special purpose processing device such as an ASIC, PAL, PLA, PLD, or other customized or programmable device. The memory may include static RAM, dynamic RAM, flash memory, ROM, CD-ROM, disk, tape, magnetic, optical, or other computer storage medium. The input device may include a keyboard, mouse, touch screen, light pen, tablet, microphone, sensor, or other hardware with accompanying firmware and/or software. The output device may include a monitor or other display, printer, speech or text synthesizer, switch, signal line, or other hardware with accompanying firmware and/or software.

The network may include communications or networking software such as the software available from Novell, Microsoft, Artisoft, and other vendors, and may operate using TCP/IP, SPX, IPX, and other protocols over twisted pair, coaxial, or optical fiber cables, telephone lines, satellites, microwave relays, modulated AC power lines, physical media transfer, and/or other data transmission “wires” 108 known to those of skill in the art. The network may encompass smaller networks and/or be connectable to other networks through a gateway or similar mechanism.

As suggested by FIG. 1, at least one of the computers is capable of using a floppy drive, tape drive, optical drive, magneto-optical drive, or other means to read a storage medium 106. A suitable storage medium 106 includes a magnetic, optical, or other computer-readable storage device having a specific physical configuration. Suitable storage devices include floppy disks, hard disks, tape, CD-ROMs, PROMs, random access memory, flash memory, and other computer system storage devices. The physical configuration represents data and instructions which cause the computer system to operate in a specific and predefined manner as described herein. Thus, the medium 106 tangibly embodies a program, functions, and/or instructions that are executable by computer(s) to help control the disclosure of sensitive information substantially as described herein. Likewise, the “wires” 108 and other data carriers may embody signals for controlling the disclosure of sensitive information substantially as described herein.

Suitable software to assist in implementing the invention is readily provided by those of skill in the pertinent art(s) using the teachings presented here and programming languages and tools such as Java, Pascal, C++, C, database languages, APIs, SDKs, assembly, firmware, microcode, and/or other languages and tools. Suitable signal formats may be embodied in analog or digital form, with or without error detection and/or correction bits, packet headers, port IDs, socket IDs, network addresses in a specific format, and/or other supporting data readily provided by those of skill in the pertinent art(s).

Methods Generally

FIG. 2 illustrates generally several methods of the present invention; other methods are illustrated elsewhere. Because the invention provides several steps which can be combined in various ways, FIG. 2 and the other Figures are illustrative only.

As shown, the methods include steps 200 and 202 for entering sensitive information into a computer network such as the network 100 and steps 204 and 206 for disclosing the information in a desired way if certain conditions are detected. Some methods also include “deadman switch” steps 208 and 210 for ensuring that the information is disclosed when an expected update from the information provider (or another authenticated user designated by the information provider) is not received on time.

More precisely, during a message accepting step 200, a piece of “hidden choir” software running on the network accepts from a user sensitive information which should be stored in one or more networks for possible later disclosure and/or deletion under specified conditions. The sensitive information may be in plain text form, or the user may have encrypted and/or compressed it. The sensitive information may include text, images, sounds, and/or any other information that can be stored and transmitted in digital form.

The user may be a “regular” user, or a user who logs in only to use the inventive software, or a system administrator, for instance. A user may be a person, or a user may be a software task, thread, agent, or other computer process acting legitimately on behalf of a person or on behalf of a group of people. A “person” may be an individual, a corporation, a limited liability company, a partnership, a university, a government agency, or another institutional entity.

In addition to providing the sensitive information, the user either provides or ratifies instructions for the possible disclosure and/or deletion of that information. Ratification occurs when the user acquiesces in disclosure and/or deletion instructions which are provided by the system as default parameters, hard-coded methods, or otherwise. Disclosure and deletion is merely “possible” because in particular cases the conditions that would trigger such actions might never occur.

In short, the message accepting step 200 gathers the sensitive information, the disclosure and/or deletion conditions, and provides them to a message storing step 202. The message accepting step 200 and message components are described further in connection with FIGS. 3 through 5.

During the message storing step 202, the invention hides copies of the sensitive information in the network 100 by creating copies of the message and transmitting them in various guises to various locations in the network 100. In some cases, an information provider may know the location of at least some of the copies, but in general the information provider does not know in detail how and where the message copies are stored; in embodiments which allow the information provider to delete stored copies, the system locates the copies. The number of copies made may vary, even by several orders of magnitude, with at least 10 or at least 100 or at least 1000 made in various cases. The number of copies made is not necessarily revealed to the information provider.

In some embodiments, a relatively small number of locations (compared to the number of network nodes) is used. In others, the step 202 puts copies of encrypted message content in most or all available locations in the network (or portion of net). In either case, a given node may contain more than one copy of a given message, with different copies stored under different names and in different disguises.

The ultimate number of message copies and the path taken by each copy is determined dynamically. The path taken by a given copy may cover a few network nodes or many network nodes, and it may be determined randomly and/or using information which authenticates the information provider. In some embodiments, one or more message copies keep traveling either until they are destroyed or until message disclosure or deletion is triggered. Message storing steps are described further in connection with FIG. 6 and elsewhere.

During a testing step 204, a portion of the invention checks stored messages to determine if they should be disclosed. This may be implemented in various ways. One or more searching message update agents may travel specified regions of the network in an exhaustive path looking for message copies and checking any message copies encountered; searching updates are not directed at a specific message copy. Update agents or update instructions directed at specific message copies may also be sent out along paths previously followed (at least ultimately) by those message copies, using methods similar to those employed in various embodiments of the storing step 202. The messages themselves may also include code which monitors conditions to determine if disclosure or deletion is appropriate, independently of any updates.

Regardless of the manner in which disclosure is triggered, if it is triggered then during a disclosing step 206 some or all of the message contents are sent to their destination(s) in formats which may be predefined by the user or provided as current defaults by the system. The disclosed contents may be limited to some or all of the sensitive information, or the disclosure may include additional components such as one or more of the message components discussed below in connection with FIGS. 4 and 5. The testing and disclosing steps are described in further detail in connection with FIGS. 3 through 5 and elsewhere.

During an optional update accepting step 208, the illustrated embodiment accepts and authenticates updates for messages. In some cases the update affirms that the information provider does not want the system to disclose any part of a given message yet, making the update analogous to the “deadman switch” used in a railroad or subway engine; as long as the engineer periodically pushes the deadman switch, the train keeps running. If the engineer has a heart attack and the switch is not pushed for some time, the train is automatically brought to a halt. Messages may similarly be configured to be disclosed if the information provider does not regularly submit an authentic update. In other cases, a message update triggers disclosure rather than preventing it. In some cases a message update triggers deletion of message copies. The update accepting step 208 and an update format are described in further detail in connection with FIG. 10 and elsewhere.

During an update storing step 210, the software and/or hardware creates and stores copies of the update. In some embodiments, the invention transmits updates to the same locations in the network as the stored message copies, or at least sends the updates along the paths taken by the message copies. In other cases, the updates search the network looking for message copies. As with the message storing step 202, precautions are taken to prevent shadowing or unauthorized use of transmitted items. The update storing step is described in further detail in connection with FIG. 10 and elsewhere.
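The deadman-switch update of step 208, together with the requirement in the Pat Elder example that an earlier response cannot be resubmitted by someone else, can be sketched as a challenge-response check. This is an added example, not code from the patent: the `DeadmanSwitch` class, the HMAC-SHA256 authenticator over a shared key, and the fixed one-week response window are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

DAY = 24 * 3600
WEEK = 7 * DAY


def sign_response(key: bytes, message_id: str, nonce: bytes) -> bytes:
    """Provider side: bind the response to one message and one inquiry."""
    mid = message_id.encode()
    # Length-prefix the id so (id, nonce) pairs cannot be confused.
    data = len(mid).to_bytes(2, "big") + mid + nonce
    return hmac.new(key, data, hashlib.sha256).digest()


@dataclass
class DeadmanSwitch:
    """Hypothetical escrow-side state for one stored message."""
    message_id: str
    key: bytes                      # assumed shared secret with the provider
    response_window: int = WEEK     # time allowed to answer an inquiry
    pending_nonce: Optional[bytes] = None
    inquiry_time: Optional[int] = None
    disclosed: bool = False

    def issue_inquiry(self, now: int) -> Optional[bytes]:
        """Start a periodic inquiry with a fresh nonce.

        An inquiry that is still open is returned unchanged, so asking
        again cannot push the deadline back.
        """
        if self.disclosed:
            return None
        if self.pending_nonce is None:
            self.pending_nonce = secrets.token_bytes(16)
            self.inquiry_time = now
        return self.pending_nonce

    def accept_update(self, tag: bytes, now: int) -> bool:
        """Accept a response only if it is authentic, fresh and on time."""
        if self.disclosed or self.pending_nonce is None:
            return False
        if now - self.inquiry_time > self.response_window:
            return False
        expected = sign_response(self.key, self.message_id, self.pending_nonce)
        if not hmac.compare_digest(expected, tag):
            return False            # forged or replayed; inquiry stays open
        self.pending_nonce = None   # switch "pushed": close this inquiry
        self.inquiry_time = None
        return True

    def check_disclosure(self, now: int) -> bool:
        """Testing step: trigger disclosure once an inquiry goes unanswered."""
        overdue = (
            self.pending_nonce is not None
            and now - self.inquiry_time > self.response_window
        )
        if overdue:
            self.disclosed = True
        return self.disclosed


def run_scenario() -> dict:
    """Constructed timeline: one valid answer, one replay, one missed deadline."""
    key = secrets.token_bytes(32)
    sw = DeadmanSwitch("will-001", key)   # constructed message id

    n1 = sw.issue_inquiry(0)
    r1 = sign_response(key, "will-001", n1)
    first = sw.accept_update(r1, 2 * DAY)

    t1 = 30 * DAY                          # next monthly inquiry
    n2 = sw.issue_inquiry(t1)
    replay = sw.accept_update(r1, t1 + DAY)      # old response resubmitted
    before = sw.check_disclosure(t1 + 6 * DAY)
    after = sw.check_disclosure(t1 + 8 * DAY)
    late = sw.accept_update(sign_response(key, "will-001", n2), t1 + 9 * DAY)
    return {"first": first, "replay": replay, "before_deadline": before,
            "after_deadline": after, "late_update": late}


if __name__ == "__main__":
    print(run_scenario())
```

Because each inquiry carries a fresh nonce, a captured response from an earlier month fails verification, and a failed attempt leaves the open inquiry and its deadline untouched.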

Message Acceptance

During message acceptance, a user entrusts sensitive information to the inventive software and/or hardware for disclosure under specified conditions. The user is referred to here as the “information provider” with the understanding that in many embodiments the user also expressly provides other message content as well, such as disclosure and deletion conditions. FIG. 3 further illustrates various embodiments of the message accepting step 200. As with other method steps, details of corresponding system, signal, and device components will be understood by those of skill in the art in view of this discussion and other parts of the present specification. For instance, those of skill will readily apply descriptions of a given method step to the construction and use of corresponding systems and articles that perform the step and of corresponding signals that embody results used by and/or produced by the step.

During an optional provider authenticating step 300, the system obtains information identifying the information provider and attempts to authenticate the identification. The information provider may be identified and/or authenticated using familiar tools and techniques. For instance, the information provider may be identified by a login name and authenticated by a password. A “password” includes one or more individual pass words, pass phrases, biometric scan results (e.g. retinal scan, fingerprint, voiceprint), other identification method results, symmetric key or other cryptographic or digital signature keys, secret email or other identifying codes, GUID, and/or any other data or devices used to protect or control access to an account or another resource in the system 100.

The authenticating step 300 may be omitted in some circumstances. For instance, the software may be configured to make identification optional; this might be combined with a requirement that a message cannot be retracted unless identification is provided. Of course, some embodiments may be configured so that the message cannot be retracted regardless of whether identification is provided. In some embodiments the authenticating step 300 can be omitted if the information provider wishes to remain anonymous.

During a disclosure conditioning step 302, the system obtains the disclosure conditions that determine when (and whether) the sensitive information entrusted to the system will be disclosed. The logic of disclosure conditions may be relatively simple, such as “if no update has been received from X, Y, or Z in the past six months, then disclose the information” or “disclose the information only if I send an update containing the word ‘implode’” or “regardless of updates, disclose the information if any press release on site W is seen to contain the phrase ‘ABC will acquire XYZ’” or even “disclose the information as soon as possible after Jul. 11, 2060.”

The logic of disclosure conditions may also be more complex, such as “disclose the information if a monthly search indicates that company A receives a patent or owns a published patent application having key phrases X, Y, or Z in the abstract or claims, or if the search indicates that any company has received a patent or owns a published patent application in classes K or L which lists M as an inventor.” This latter example could be used to control disclosure of information which is meant to be kept as a trade secret unless circumstances suggest it might be more useful as prior art.

In either case, the underlying tools for determining whether a disclosure condition has occurred may be very simple or they may be quite sophisticated. By way of example only, powerful tools and techniques may be used (a) to analyze natural language in news accounts and other electronic postings for statements describing events such as the acquisition of a company or the death of an individual; (b) to make determinations of financial market health or political stability based on news reports, market prices, and other factors; and (c) to detect spurious updates. Suitable tools and techniques are familiar to those of skill in the arts, and no doubt additional improvements will be made in such tools and techniques, further enhancing the power and convenience of systems according to the invention.

During a disclosure destination targeting step 304, the software determines, at least by category and perhaps by specific address, the disclosure destinations that will receive a copy of the information once a disclosure condition occurs. Disclosure destinations may be specified by the information provider and/or by the system in a wide variety of ways. They may take the form of email addresses, web page addresses, and/or regions. Web page addresses may be listed as textual universal resource locators or as textual or binary hard-coded network addresses. When web pages are used as destinations, the information provider and/or the system may indicate that existing web pages should be modified to disclose the information and/or indicate that new web pages containing the information should be generated and placed at the specified addresses.

In the case of regions, email addresses and/or web page addresses in the region may be obtained automatically at the time of disclosure by the system or they may be provided earlier by the user. Blanket disclosure to a region may be specified by requesting all available locations in the region, by requesting some percentage of all available locations, or by requesting some minimum number of locations to which the information will be sent. Regions may vary in size, from “Corporation XYZ” to “newsgroup A.B.C” to “USA” to “everywhere possible”. If multiple destinations are specified, by specifying a region or otherwise, then the disclosing copies may be sent in groups spaced out over time, or they may all be sent as nearly simultaneously as is technologically possible.

In some embodiments, a formatting step 306 allows users to determine formats to be used in disclosing the information. In other cases, the formats used are selected during an embodiment of the step 306 which is performed by the system without interactively requesting the user's preferences. For instance, in one embodiment all disclosures are in plain text (ASCII) format sent as email generated by the system. Possible formats include plaintext, digitally signed, encrypted, XML or HTML, and other formats for electronic documents. Format specification may include the text to be placed in an email subject line in email messages generated by the disclosing step 206.

Web pages may also be generated, partially or entirely, during the disclosing step 206. If web pages are among the destinations, then format specification may include a request that web links to the disclosing page be created and sent out in email messages and/or that the web links be embedded in identified existing pages. In some embodiments, formats are a function of the destinations. For instance, in one embodiment, email addresses receive plain ASCII text, http:// URL destinations receive HTML, and FTP sites receive plain text and HTML.

During an optional deletion conditioning step 308, the software obtains the deletion conditions that determine when (and whether) the sensitive information entrusted to the system will be deleted without an unauthorized intervention. Some deletion conditions may be implicit in an embodiment, such as deletion of messages after they have been disclosed and the disclosure has been adequately acknowledged. Other deletion conditions may be explicitly stated by the information provider. The logic of deletion conditions, like the logic of disclosure conditions, may vary in complexity. The same tools and techniques used to detect disclosure conditions may be used to detect deletion conditions.

During a sensitive content obtaining step 310, the software obtains the sensitive information which is to be disclosed if, and only if, the disclosure conditions occur. The sensitive information may be provided to the system in plaintext form or in encrypted form. In particular, information disclosed by the system in response to a disclosure condition may be encrypted. For instance, a user could provide several other parties with decryption keys which are useful only in the event of disclosure by the system.

Regardless of whether the sensitive information is already encrypted, the system may encrypt (or re-encrypt) the information during an optional encrypting step 312. The disclosure conditions, formats, and/or destinations may also be encrypted. Encryption tools and techniques are well-known in the art, and any suitable ones may be used, including without limitation public key-private key encryption, symmetric encryption, and/or encryptions described in Schneier, Applied Cryptography and other references.

The encrypted information may also be digitally signed during a signing step 314 using familiar techniques and tools, including those described in Schneier, Applied Cryptography and other references. Checksums or cyclic redundancy codes may also be used as a form of weak but easily generated digital signature. In addition, the information may be compressed before or after encryption and/or signing; compression is performed during a compressing step 316 by using familiar techniques and tools.

Those of skill in the art will recognize that encryption, digital signing, and compression can be performed on part or all of a given message, on several portions of a given message, in various nested manners, with different keys, and in other combinations. Those of skill will readily identify and implement approaches that protect the secrecy and integrity of the sensitive information and the disclosure conditions and destinations specified in messages according to the invention.

In particular, digital signatures may be used in place of encryption if the information provider wishes to make the information and/or conditions and/or destinations visible while still preventing tampering and still controlling disclosure of the full implications of the information. Sometimes the mere fact that information is encrypted will draw unwanted attempts to decrypt or delete the information. By contrast, an apparently innocuous plaintext message may avoid being targeted.

The general lack of interest in plaintext is useful if the full meaning of a plaintext message becomes apparent only when one has additional information not found in the message itself. For instance, a message containing nothing but three columns of numbers has little apparent meaning. The message becomes more interesting if one learns from some other source that each number in the first column identifies a contract while the second and third numbers represent the low bid and the accepted bid, and it becomes very interesting indeed if a review of the circumstances involved raises a question as to why low bids were sometimes rejected.

Example Accepted Message Formats

FIGS. 4 and 5 illustrate some of the many possible formats for messages 400 which are produced by the message accepting step 200. In FIG. 4, the message 400 includes a digital signature 402 which is based on several other components of the message 400. The components on which the digital signature 402 is based define a scope 404 for the signature 402. The digital signature 402 reflects the content of the components in the scope 404 of the signature in order to detect tampering with, or removal of, such content.

In the illustrated embodiment, the scope 404 of the signature 402 includes encrypted sensitive information 406, disclosure conditions 408, destinations 410, and deletion conditions 412. The information 406 may have been submitted during step 310 in encrypted form, and/or it may have been encrypted by the inventive system during step 312. The disclosure conditions 408 were specified during step 302; the destinations 410 were specified during step 304, and the deletion conditions 412 were specified during step 308.

Each of the disclosure conditions 408, destinations 410, and deletion conditions 412 may or may not be encrypted, depending on the embodiment. For instance, it may be useful to encrypt the sensitive information 406 but leave some or all of the conditions 408, 412 and destinations 410 visible and send a notice to an interested third party with a copy of the message 400 after the message has been stored by the inventive system. The message 400 illustrated in FIG. 4 includes no explicit format instructions but instead contemplates that format(s) for the disclosure are provided by the software during the format determining step 306 and/or the disclosing step 206.

FIG. 5 illustrates another message 400 produced by the message accepting step 200. In this case, the message 400 includes traveling program code and/or data 500 which enables the message 400 to move autonomously from one network node 102 and/or 104 to another. Traveling messages 400 may be constructed using tools and techniques employed in designing and implementing agents, web crawlers, robots, and other familiar traveling programs. Instead of using traveling code 500, or in addition to it, message 400 copies may also move from one node to another by other means, such as conventional connections or sockets or links for sending and/or receiving files, servlets, applets, video, audio, email, or other data in the network 100.

In addition to traveling program code 500, messages 400 may include code for taking certain actions or making certain determinations discussed herein. Functionality to take such actions and/or make such determinations may also be embedded in software that is located on, or is in communication with, the node on which the message 400 in question is located. For convenience, when this description states that a message 400 does something, it should therefore be understood that the code being executed may be stored in the message 400 in some embodiments and outside the message 400 in others.

The message 400 in FIG. 5 also includes several components which have been encrypted by the software and thus lie within a system encryption scope 502. These components include two pieces of user-encrypted sensitive information 504, 506; disclosure conditions 508 for each piece of information 504, 506; destinations and formats 510 for the information 504, 506; and an identification 512 of the information provider.

FIG. 5's message 400 illustrates the fact that in some embodiments a message 400 guarded by the system may contain multiple pieces of sensitive information with correspondingly flexible disclosure conditions and destinations. For instance, different pieces of sensitive information might be sent to different people if disclosure is triggered, or the information pieces might be released in stages to the same person, with each stage having its own disclosure condition(s) such as the passage of time or the public posting of certain text at a particular site.

Those of skill will appreciate that many other message formats than the ones shown in FIGS. 4 and 5 are possible with the invention. In particular, the illustrated components may be combined in other ways. For instance, additional digital signatures may be used, each stage of a staged disclosure may be signed, deletion conditions may be encrypted, selected components or the message as a whole may be compressed, information provider keys or credentials or other identification/authentication components may be included or omitted, creation timestamps and locations may be included or omitted, and multiple message 400 formats (as well as multiple message copies in a given format 400) may include the same sensitive information.

Message Storage Generally

During message storage, the system stores copies of the accepted message(s). Message storage according to the present invention takes a different approach than conventional escrow methods. A conventional escrow system stores items from many different sources in a single secure vault, or at most a small number of such vaults. A conventional escrow service typically has a single vault in a given region or country, and it relies on strong physical security measures such as steel safes, human guards, and the like. Conventional escrow services also place great weight on control over physical conditions such as temperature and humidity. Moreover, access to stored items, and disclosure of stored items, is through the human escrow agent. Multiple instances of an item are not necessarily stored, because of limited space considerations and consequently higher costs. There are other differences as well.

By contrast, a system according to the invention may benefit from physical security measures, but it does not rely on them as the principal means for ensuring survival of stored information. Instead, the invention takes advantage of the size and scope of networks, particularly global networks such as the Internet or large corporate networks having many nodes dispersed over a variety of platforms and locations. The invention stores copies of sensitive information on many nodes, in locations which are difficult or impossible to determine without authorization (and in some embodiments, even with authorization from the information provider). Thus, even a determined attack is unlikely to locate and destroy all copies. Disclosure may also be fully automated.

Moreover, in some embodiments a given message 400 contains information from more than one source, and users are informed of this. Thus, an attacker who deletes a copy of a message 400 does not necessarily know the identity of all information providers being attacked. This forces the attacker to risk the wrath of unknown parties. In one variation, individuals or small businesses can purchase space in messages 400 from more powerful entities, so their information 406, 504, 506 is interleaved with that of the more powerful entity. The powerful entity may or may not view the information it stores in this interleaved manner as particularly important in and of itself; the powerful entity may simply be lending its strength and reputation—at a price—to help discourage tampering with the information of others.

Message storage according to the invention may be accomplished in various ways. Two general approaches in the form of “roving messages” and “poised messages” are described below, but other approaches which provide controlled disclosure by utilizing a network for information escrow according to the teachings herein also fall within the scope of the claimed invention.

Roving Message Storage

FIGS. 6 and 7 illustrate methods employing a “roving message” approach to the message storing step 202. Roving messages may be implemented with traveling program code and/or data 500, or without it; the term “roving” is used in contrast with the term “poised” discussed later. Briefly, roving messages are implemented by making message 400 copies travel from node to node indefinitely until disclosure or deletion. Poised messages, on the other hand, may initially traverse one or several nodes, but do so in order to reach a specific destination and, once there, stay put until disclosure or deletion.

In order to better illustrate the update steps 208, 210, assume that embodiments according to FIG. 7 use disclosure conditions and/or deletion conditions which depend on at least one update, while embodiments according to FIG. 6 do not. In practice, a given inventive system may employ approaches shown in either or both Figures.

A roving message storage step 600, which is one type of message storing step 202, starts by obtaining the address of a next target location. This may be accomplished by an address generating step 602, an address selecting step 604, or a combination of the two steps. An address may be in the form of an IP address, Ethernet address, URL, email address, and/or other network address which identifies a physical or virtual node, and may include a directory path component and/or a file disguise (e.g., use of *.c, *.cpp naming conventions and/or internal syntax) which further specify how to store a message 400 copy on a given node. FIG. 6 refers to a “next” location, but it will be appreciated that when the system first stores a newly accepted message 400, the “next” location is also the first location.

The address generating step 602 works best when valid addresses are relatively dense in the space of possible system 100 addresses, since the step 602 proceeds by generating an address whose syntax is correct but which does not necessarily correspond to any presently reachable location. For instance, if the syntactic range for IP addresses is assumed to be 1.0.0.0 to 239.255.255.255, then the generating step 602 could proceed by generating four random numbers, pinning or truncating them to the indicated ranges (1..239, 0..255, 0..255, and 0..255), and adjoining them to form an IP address. Alternatively, one large random number could be sliced to form the IP address by using the first eight bits for the first part of the address, the next eight bits for the next part, and so on, with appropriate rounding or truncation to fall within the required ranges.

Instead of generating an address with the right syntax that may or may not be valid, the address selecting step 604 selects an address from a list or table of addresses that were, at least at one time, both syntactically correct and valid (reachable from the present location). Those of skill in the art will understand how to obtain such address lists from routers or other sources and how to verify the syntax of a given address. The table of addresses may vary in size. Tables having many entries make messages 400 harder to locate and destroy, but they also require more storage space in messages 400 and their corresponding updates 1000.

Instead of using a random number, or in addition to using one or more random numbers, the address could also be generated during step 602 or selected during step 604 by using the identification or authentication information obtained during step 300. For instance, if lack of a timely update can trigger disclosure (as presumed in FIG. 7) then steps 602 and 604 provide addresses in a manner that depends on the authentication information provided when the message was stored. That same authentication information must be provided with each update. If the authentication information is provided correctly, then the update can follow the path of the original message (spawning additional copies just as the original message did), find each copy of the original message, and prevent disclosure. If proper authentication information is not provided, then at least one copy of the message 400 will not receive an update and disclosure will be triggered.

On the other hand, if the disclosure and deletion conditions are independent of message updates (as presumed in FIG. 6), then steps 602 and 604 provide addresses in a random or quasi-random manner. Hash functions, random number generators, and other familiar tools may be used. For instance, the address generating step 602 may generate a set of quasi-random numbers in the appropriate ranges and adjoin them to form the next IP address, Ethernet address, or other address; the address selecting step 604 may generate a single quasi-random number and use it to index the table of addresses to select the next address.

To provide addresses in a manner that depends on the authentication information, step 602 may interpret the first N bits of authentication information as an N-bit address. Alternatively, step 602 may interpret M bits of authentication information as part of an N-bit address (N>M), with the rest of the address chosen in a predetermined manner to improve the chance of generating a valid reachable address. For instance, in an IP address the leftmost component might be taken to be the same as the current address, while the other components are taken from the authentication information.

Of course, many variations are possible when mapping authentication information to network addresses during step 602, including manipulating the authentication information to reduce or remove long strings of zeroes and long strings of ones before selecting the N bits, selecting the N bits from within the authentication information bit-string instead of from the end, making the next address a function of both the authentication information and the current address, and so on. Similar considerations apply to the use of authentication information as an index into a table of addresses during step 604. Whatever implementation is used, however, must be reproducible by an authentic update so it can follow the message copies, and should also be difficult to deduce or reproduce without the authentication information so that unauthorized updates are prevented.

During a creation trying step 606, the system tries to create a copy of the message 400 at the address provided by step 602 or step 604. This may be done by the message itself through traveling code, or by transmission of a message 400 copy in a file to code residing on the target node, or by other data transmission means. If the attempt fails, another address is obtained by repeating step 602 or step 604. The attempt may fail because the address is not valid, or the address may be valid but the node at that address may be down or it may refuse incoming message copies, for instance. If updates are not involved (FIG. 6), then additional addresses may be obtained (steps 602, 604) and tried (step 606) until the message 400 is successfully copied during step 606.

A similar loop may be performed when updates are involved (FIG. 7). However, there are additional considerations. Suppose one or more addresses were not valid when tried by the message but are valid when tried later by the update(s); node(s) may have been added or one or more address assignments may have changed. Indeed, address syntax may have changed. Then the updates may follow a path not taken by the message copies, and the risk of unwanted behavior arises. The concern also arises if a node was down, or was configured to refuse messages 400 (by blocking out traveling programs, for instance) when tested by the message, but is now back up and will accept the update.

One apparent solution is to simply make the updates 1000 follow every possible path. However, proliferating so many updates could place unacceptable burdens on the network 100. Better approaches are possible. For instance, the message 400 may leave a digitally signed (and possibly encrypted) marker for the update 1000, indicating that the message 400 is taking the Kth address from a list of addresses known to the message and the update. The list of addresses may be carried by the message 400 and the update 1000 or the list may be resident at the node, possibly in disguised or encrypted form. Since the update obtains addresses using the same algorithms and seeds (authentication information and/or current address, for instance) as the original message, this provides enough data for the update 1000 to follow the message 400 without revealing the path to unauthorized users. Alternatively, the address itself may be provided, stored on the node in an obscure file in encrypted or file-disguised form. If a file disguise is used, then the disguising file name and/or syntactic format preferably correspond to a file type which tends not to be deleted, such as *.exe or *.dll or administrative files. For instance, the address could be placed in an otherwise unused data block in an executable file that simply prints the current date.

Yet another approach puts a small cap on the number of addresses tried during the loop through steps 602 to 606. For instance, if a valid address is not selected in three tries, the message 400 copy stops traveling. The updates 1000 then propagate, but not as rapidly, because they only need to explore the first three addresses at each node; a limit may also be put on the maximum number of hops a message 400 copy can take.

A “hop” for purposes of the present invention is not necessarily a packet-level or data link layer hop. Rather, a hop is a movement of messages 400 or updates 1000 between two nodes whose addresses are expressly known to the message 400 or the update 1000, respectively. At lower levels of abstraction, the network operating system or other communications software in the network 100 may actually send the message or update as one or more packets to many nodes as part of a single hop.

After the message is copied to another node by step 606, an optional step 608 deletes the copy on the current node. If the copy deleting step 608 is always performed, then one copy of the message 400 roves around the network. In a variation, the first execution of step 600 stores a large number of message copies on network nodes, with one or more copies per node, and then each of those copies roves without spawning any further copies. On the other hand, if the copy deleting step 608 is never performed then copies of a message 400 proliferate rapidly, spreading in an expanding tree from the node that accepted the message 400 during step 200. Of course, intermediate approaches are also possible, with message 400 copies spawned every X hops or every Y minutes, for instance.

In FIGS. 6 and 7, the system tests disclosure conditions during step 204 and discloses the message information during step 206 if one or more disclosure conditions are satisfied. The system also tests deletion conditions during a step 610 and deletes the message during a step 612 if one or more deletion conditions are satisfied. Deletion conditions and disclosure conditions were discussed in connection with FIGS. 3 through 5.

Poised Message Storage

FIGS. 8 and 9 illustrate methods employing a “poised message” approach to the message storing step 202. In a manner similar to FIGS. 6 and 7, we presently assume that embodiments according to FIG. 9 use disclosure conditions which depend on at least one message update, while embodiments according to FIG. 8 do not. In practice, a given inventive system may employ either or both approaches. Note that some embodiments will accept an update 1000 having a designated effective date even before a message 400 to which the update applies is accepted by the system. That is, steps 208 and 210 may precede steps 200 and 202 in some cases.

The major difference between poised messages 400 and roving messages 400 lies in the nature and frequency of the message storing step 202. As discussed above, roving messages 400 move about the network indefinitely and may spawn copies of themselves as they go. By contrast, poised messages 400 reach their ultimate destination in one hop, or at most a very few initial hops, and then stay at that address while they await message updates 1000 and/or triggering conditions.

For instance, one of the methods illustrated by FIG. 8 proceeds as follows: after an initial message acceptance step 200 and message storage step 202, the system goes into a loop which tests for disclosure conditions at least once each day during the step 204. If a disclosure condition is found, the sensitive information is disclosed during step 206 and the method terminates.

In a variation, the message checks for deletion conditions after the disclosure, and terminates with step 612 after a deletion condition is found. Disclosure may be a deletion condition, or the occurrence of an event that might be provoked by disclosure could be a deletion condition. Receipt of an authentic message update 1000 which requests deletion could also be a deletion condition.

In another variation, the system goes into a loop which tests in turn for disclosure conditions and for deletion conditions during steps 204 and 610. The system performs the test each time a certain dynamic library module or software component is loaded and initialized for service. Many other variations are also possible.

One message storing step 200 suitable for storing poised messages uses two hops for each copy of a given message that is being stored. All copies of a given message 400 are sent out concurrently, or nearly so, and the first copy, which is on the message accepting node, is then optionally deleted. The copy destinations for the first hop (or in the case of N hops, the destinations for the first N-1 hops) are generated randomly or quasi-randomly. Indeed, if updates are also being sent for the message (FIG. 9), then the first hop (or first N-1 hops) taken by the updates 1000 will generally not follow the same node-to-node paths as the paths that were taken by the message 400 copies. In some embodiments, this flurry of apparently randomly addressed update transmissions includes decoy updates which do not contain update information, but exist instead to provide cover for the actual updates 1000.

The destination address for the last hop is generated or selected using authentication information 512 and a message copy index. The message copy index distinguishes at least some copies of a given message 400 from other copies of the message 400 that are being stored by the system. In the simplest case, the index is just increasing integers, identifying copy 1, copy 2, . . . , copy k of the given message 400. But the message copy index may also follow a sequence other than 1, 2, 3, . . . , such as counting by sevens, or using the Fibonacci sequence 1, 1, 2, 3, 5, 8, . . .

As a result, all message 400 copies are ultimately sent to destination nodes that can be identified if one has the authentication information 512 and knows how message copy index values are assigned. Even if updates 1000 take different paths than the message 400 copies they target, the updates and the copies ultimately arrive at the same destinations. In a variation, updates 1000 are also sent to locations that do not hold a message 400 copy, but every location holding a message 400 copy also receives at least one update 1000.
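The following added example (not part of the patent text) models both address derivations in memory: the roving next hop as a function of the authentication information and the current address with the three-try cap, and the poised last hop as a function of the authentication information and a copy index. HMAC-SHA256, the node names, the table size and all function names are assumptions of this example; it shows a node that was down at storage time sending a single-path update astray, while an update that explores all three candidates per node still covers the copy's path.

```python
import hashlib
import hmac

MAX_TRIES = 3  # cap on addresses tried per node (the "three tries" variation)


def pick(auth_info: bytes, label: str, table: list) -> str:
    """Index the address table with a keyed hash of `label`.

    Assumption: HMAC-SHA256 is this example's choice. The text only asks for
    a mapping that is reproducible with the authentication information and
    hard to reproduce without it.
    """
    mac = hmac.new(auth_info, label.encode(), hashlib.sha256).digest()
    return table[int.from_bytes(mac[:8], "big") % len(table)]


def candidates(auth_info: bytes, current: str, table: list) -> list:
    """Ordered next-hop candidates derived from auth info and current address."""
    return [pick(auth_info, f"hop|{current}|{k}", table) for k in range(MAX_TRIES)]


def rove(auth_info, start, table, reachable, max_hops):
    """Path of one roving copy: the first reachable candidate wins at each node."""
    path = [start]
    for _ in range(max_hops):
        nxt = next((a for a in candidates(auth_info, path[-1], table)
                    if a in reachable), None)
        if nxt is None:  # no usable address within MAX_TRIES: stop traveling
            break
        path.append(nxt)
    return path


def update_reach(auth_info, start, table, reachable, max_hops):
    """Nodes visited by an update that explores all MAX_TRIES candidates per node."""
    seen, frontier = {start}, [start]
    for _ in range(max_hops):
        nxt = []
        for node in frontier:
            for addr in candidates(auth_info, node, table):
                if addr in reachable and addr not in seen:
                    seen.add(addr)
                    nxt.append(addr)
        frontier = nxt
    return seen


def poised_destinations(auth_info, copy_indexes, table):
    """Last-hop address of each poised copy, from auth info and copy index."""
    return [pick(auth_info, f"copy|{i}", table) for i in copy_indexes]


# Constructed sample data: node names stand in for network addresses.
TABLE = [f"node-{i:05d}" for i in range(65536)]
AUTH = b"constructed authentication information"
START = TABLE[0]
HOPS = 4


def demo():
    all_up = set(TABLE)
    # The copy's first-choice next hop is down when the message is stored.
    first_choice = candidates(AUTH, START, TABLE)[0]
    message_path = rove(AUTH, START, TABLE, all_up - {first_choice}, HOPS)
    # Later every node is up: an update that follows only the first usable
    # candidate leaves the copy's path at the first hop.
    single_path_update = rove(AUTH, START, TABLE, all_up, HOPS)
    # An update exploring all three candidates per node covers the path.
    reach = update_reach(AUTH, START, TABLE, all_up, HOPS)
    # Without the authentication information a different node set is explored.
    wrong = update_reach(b"wrong authentication information", START, TABLE,
                         all_up, HOPS)
    return message_path, single_path_update, reach, wrong


if __name__ == "__main__":
    path, single, reach, wrong = demo()
    print("copy path:         ", path)
    print("single-path update:", single)
    print("path covered by 3-candidate update:", set(path) <= reach)
    print("path covered with wrong auth info: ", set(path) <= wrong)
    print("poised copies 1..3:", poised_destinations(AUTH, [1, 2, 3], TABLE))
```

With three candidates per node and four hops the exploring update contacts at most 121 nodes, which is the propagation cost the cap bounds.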

Sending out messages 400 and updates 1000 along paths having one or more random hops at the beginning of the path makes it more difficult to locate all copies of a message 400 by simply monitoring transmissions from the message accepting node and/or monitoring updates 1000 sent by the information provider from any given node. Knowing the initial destination of the message 400 copies and the updates 1000 does not help the eavesdropper determine the present location of the message 400 copies.

Example Message Update Formats

FIG. 10 illustrates formats for message updates 1000 which are produced by the message update accepting step 208. As with the message formats shown in FIGS. 4 and 5, some of the components shown are optional in some embodiments, and components may also appear in different orders. Updates 1000 may also include components not shown in FIG. 10. In particular, some message updates 1000 include address lists, traveling program code and/or data similar to the component 500, and/or instructions for a message 400 to change its security approach by changing file disguises or changing between poised and roving storage, for instance.

In the illustrated embodiment, one or more digital signatures 1002 are provided to allow message 400 copies or associated “hidden choir” software to detect tampering with message updates 1000 and thus avoid relying on fraudulent updates 1000. The digital signature(s) 1002 may also be used to authenticate the update 1000 to the message 400 copies. As with the digital signatures 402 in messages 400, the digital signatures 1002 in updates 1000 may be generated by the inventive system, by the provider of the sensitive information, or both, and may vary in nature and scope between embodiments.

A message update 1000 provides one or more of the following functions: preventing message disclosure, triggering message disclosure, triggering message deletion, and instructing the message copies to change their security approach. An embodiment need not support all of these functions.

To prevent message disclosure in an embodiment which uses a “deadman switch” approach, a secrecy renewal 1004 may be included in updates 1000 that are sent to at least the same locations as the messages 400. A digitally signed timestamp or other tool analogous to those familiar in the art is used to prevent replay attacks in the form of unauthorized repetition of an earlier secrecy renewal in place of a missing renewal. If authentic, the secrecy renewal in effect tells the message 400 or associated software that “your creator is still healthy and does not wish the sensitive information to be disclosed yet.” Conversely, messages 400 may be configured with a reverse deadman switch, so that disclosure happens only if an authentic disclosure trigger 1006 is received by the message 400.
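The check a message copy would run on an incoming secrecy renewal can be sketched as follows; this is an added example, not code from the patent. It assumes HMAC-SHA256 under a key shared by the information provider and the copy as a stand-in for the digital signature 1002, a 30-day renewal interval, and constructed identifiers and integer timestamps; the class and function names are hypothetical.

```python
import hashlib
import hmac
import struct

# Assumption: HMAC-SHA256 under a shared key stands in for the digital
# signature 1002; an asymmetric signature would be verified the same way.
RENEWAL_TAG = b"SECRECY-RENEWAL"  # constructed type label for a renewal 1004
TAG_LEN = hashlib.sha256().digest_size


def make_renewal(key: bytes, message_id: bytes, issued_at: int) -> bytes:
    """Provider side: an 8-byte timestamp followed by a MAC over type, id, timestamp."""
    body = struct.pack(">Q", issued_at)
    mac = hmac.new(key, RENEWAL_TAG + message_id + body, hashlib.sha256).digest()
    return body + mac


class DeadmanSwitch:
    """State kept by one message copy (or by software on its node)."""

    def __init__(self, key, message_id, accepted_at, renewal_interval, max_skew=300):
        self.key = key
        self.message_id = message_id
        self.renewal_interval = renewal_interval  # seconds between required renewals
        self.max_skew = max_skew                  # tolerated clock difference, seconds
        self.last_renewal = accepted_at           # newest authentic timestamp seen

    def accept_renewal(self, renewal: bytes, now: int) -> bool:
        """Return True only for an authentic renewal newer than any seen before."""
        if len(renewal) != 8 + TAG_LEN:
            return False
        body, mac = renewal[:8], renewal[8:]
        expected = hmac.new(self.key, RENEWAL_TAG + self.message_id + body,
                            hashlib.sha256).digest()
        if not hmac.compare_digest(mac, expected):
            return False                          # forged, or meant for another message
        (issued_at,) = struct.unpack(">Q", body)
        if issued_at <= self.last_renewal:
            return False                          # replay of an earlier renewal
        if issued_at > now + self.max_skew:
            return False                          # postdated renewal banked for later
        self.last_renewal = issued_at
        return True

    def disclosure_due(self, now: int) -> bool:
        """Disclosure condition: no authentic renewal within the interval."""
        return now - self.last_renewal > self.renewal_interval


def demo():
    key = b"k" * 32                               # constructed key
    day = 86_400
    switch = DeadmanSwitch(key, b"msg-400", accepted_at=0, renewal_interval=30 * day)
    renewal = make_renewal(key, b"msg-400", issued_at=20 * day)
    results = {
        "fresh": switch.accept_renewal(renewal, now=20 * day + 5),
        # The same bytes replayed in place of a missing renewal are refused.
        "replayed": switch.accept_renewal(renewal, now=55 * day),
        "due_day_50": switch.disclosure_due(now=50 * day),
        "due_day_51": switch.disclosure_due(now=51 * day),
    }
    return results


if __name__ == "__main__":
    print(demo())
```

Binding the message identifier into the MAC keeps a renewal issued for one message from renewing another message that shares the key.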

As noted, capabilities involving disclosure conditions and deletion conditions are somewhat similar, so a deletion trigger 1008 may also be used in some embodiments. On the other hand, an embodiment may also support “uncancelable” messages, in the sense that a message 400 which has been accepted cannot later be withdrawn even if the user who provided the information to the system wishes to cancel the message and prevent disclosure. This is accomplished by ignoring deletion triggers 1008 and deletion conditions 412, or by not supporting them at all. This provides a safeguard against message cancellation under duress.

In one embodiment, an option to delete a message 400 is apparently presented to the information provider. However, in accordance with a condition previously specified by the information provider, invoking the option will actually result in an emergency action, such as an email for help or a disclosure of selected information, rather than deletion without disclosure. Thus, an information provider who is under duress may secretly call for help or take other action that would not be permitted if performed openly.

Message Update Storage

The same tools and techniques discussed in connection with storage of roving messages 400 and poised messages 400 may be used for corresponding updates 1000 to such messages 400. In addition, or as an alternative, a system may use searching updates 1000 which do not follow the path of a message 400 copy and cannot determine the path taken by a given message 400. These searching updates 1000 are not targeted at a specific message 400 copy, but instead traverse the network 100 searching for corresponding message 400 copies.

When a message 400 copy is found, the searching update 1000 acts on the copy, subject to authentication. If the conditions for disclosure or deletion are met, for instance, the searching update 1000 and/or message 400 copy perform the triggered action; if not, the searching update 1000 moves on to the next node, checks for a message 400 copy, and so on. The searching update 1000 may be implemented using robots, agents, crawlers, or other traveling software tasks that roam the network. The traversal method used by the searching update 1000 should eventually lead it to every location that might harbor a message 400 copy. This may be accomplished using the teachings herein in conjunction with familiar graph search algorithms, for instance.

If the number of locations to search is large, the traversal may take considerable time, so searching updates 1000 are not necessarily the best choice when time is of the essence. However, searching updates 1000 may advantageously make it more difficult to follow an update 1000 directly to a message 400 copy and thereby reduce the risk of unauthorized actions.

In a manner similar to traversal by a searching update, an unauthorized search-and-destroy program could roam the network 100 trying to locate message 400 copies. Accordingly, message 400 copies should be named obscurely and/or be located in obscure places (or in obvious places in file disguised form) so that even if their network node address is known, their existence is not necessarily revealed. Then a search-and-destroy attacker will not necessarily be able to locate the message 400 copies themselves even if the attacker uses the same traversal methods as searching updates 1000 to locate nodes likely to contain message 400 copies.

Tools and techniques used by viruses, worms, Trojan horse programs and the like may be adapted to disguise message 400 copies. In addition, when encrypting a message 400, the message 400 may be reformatted in the guise of a *.c, *.h, *.cpp, *.hpp, *.asm, *.ini, *.DLL, OLE, COM, Java, or other software component or file of a type commonly found on the network 100. Such file disguises include using the appropriate file name extension and other naming conventions for the file type chosen, and may also involve providing the expected internal syntax for the file's contents; hidden information can be placed in a source code file comment, for instance, or in executable code file data sections. Unless a search-and-destroy program is prepared to test both the syntax and the semantics of each file it encounters (and even then risk erroneously deleting a file which is not a message 400), disguising the message 400 copies in this manner will substantially reduce the risk of their unauthorized removal or disclosure.

Of course, the message update 1000 (whether a searching update or otherwise) must be able to identify message 400 copies, so any message update 1000 should be made difficult to capture and difficult to reverse engineer. Capture of a message update 1000 can be made difficult by using a small number of such updates 1000 and by drawing on tools and techniques used by viruses and the like. Message update 1000 reverse engineering can be made difficult by using self-modifying code, time-out loops that detect delays caused by debugger traps and then scramble memory, and other techniques.

In some embodiments, the updates 1000 are sent only to nodes that should also contain a message 400 corresponding to the update 1000. In such cases, it may happen that the expected message 400 is not there. This unexpected omission can be ignored, or it can be reported to a trusted administrator and/or to the information provider.

It may also happen that the update 1000 finds the message 400 at the expected location but a digital signature comparison reveals tampering with the message 400 and/or the update 1000. In such cases, the system may take various actions, according to previously programmed defaults or options specified when the message 400 was stored. For instance, software may raise an alarm by notifying the information provider and/or some other party, or it may disclose the message 400 information earlier than it otherwise would have done.

Additional Message and Update Transmission Considerations

Computers in the system may in general be either servers 102, clients 104, or a mixture of servers and clients. Methods of passing messages 400 and updates 1000 may vary according to whether the sender and transmitter are server or client or a mixture. For instance, agents or servlets or other tasks may be transmitted more readily in some instances while files which are not executable are more readily transmitted in others.

Although the messages 400 and updates 1000 may be implemented using agents, crawlers, servlets, or various forms of traveling program, the transmittals 400, 1000 need not include executable code in every system according to the invention. Some embodiments transmit primarily non-executable messages 400 and updates 1000, while others transmit only non-executable messages 400 and updates 1000. In such embodiments, a task or agent or other local “hidden choir” software resides on each node and performs one or more of the functions discussed above, namely, receiving messages and updates, transmitting messages and/or updates to other nodes, testing disclosure and/or deletion conditions, and carrying out disclosure and/or deletion as indicated.

The local software may be dispersed through the network 100 nodes on an as-need, autonomous basis, that is, without any node knowing the location of every piece of the inventive software. This dispersal may be accomplished in a manner similar to dispersal of executable messages 400 or updates 1000 discussed above in connection with roving messages.

The local software may also be dispersed through the nodes in a centrally managed way, so that a central contract index or other list identifies all nodes (or at least all local networks) which have software in place to receive and manage messages 400 and updates 1000. Naturally, the existence of such a list poses a threat to the continued survival of messages 400 and updates 1000. However, the threat can be reduced by protecting the confidentiality of the list (both its existence and its contents); by making the list of nodes numerous and varied as to platform, entity, and security requirements; by seeding the list with nodes containing tracking software that reports attempted operations to a trusted administrator; by using only a subset of the listed nodes for any given message, thereby raising the cost of unauthorized access attempts by forcing any infiltration to attack nodes that contain no messages; and perhaps by other precautions as well.

Summary

In summary, the present invention provides a novel system and method for controlling the disclosure of sensitive information. Copies of the information are hidden throughout a network. Disclosure of the information may be triggered when an expected secrecy renewal does not arrive, indicating that the information provider is in trouble and/or wishes the previously safeguarded information to be released. Disclosure may also be delayed, perhaps indefinitely, unless expressly triggered by the information provider or another authorized user. In short, information is kept secret until specified conditions are met and is then disclosed in a specified manner.

The Figures show a particular order and grouping for method steps of the invention. However, those of skill will appreciate that the steps illustrated and discussed in this document may be performed in various orders, including concurrently, except in those cases in which the results of one step are required as input to another step. Likewise, steps may be omitted unless called for in the claims, regardless of whether they are expressly described as optional here. Steps may also be repeated, or combined, or named differently. Both headings and references to discussions of a given topic elsewhere in the application are for convenience only.

Although particular methods embodying the present invention are expressly illustrated and described herein, it will be appreciated that apparatus, signal, and article embodiments may be formed according to methods of the present invention. For instance, discussion of the message formats 400 illustrates method steps, message signals, and computing systems configured with inventive software to read and write such formats. Unless otherwise expressly indicated, the description herein of methods of the present invention therefore extends to corresponding apparatus, signals, and articles, and the description of apparatus, signals, and articles of the present invention extends likewise to corresponding methods.

Although reference is made to software and/or hardware and/or systems, it will be appreciated that the inventive functionality may be provided by various combinations of one or more of the following: compiled software, interpretable code such as byte codes, fully linked executable code, dynamically loaded libraries, COM or OLE or Java or other components, firmware, microcode, ASICs, PALs, RAM, processors, environment variables, command line parameters, initialization or configuration files, and other software and hardware components, tools, and techniques known in the arts.

The invention may be embodied in other specific forms without departing from its essential characteristics. The described embodiments are to be considered in all respects only as illustrative and not restrictive. Any explanations provided herein of the scientific principles employed in the present invention are illustrative only. The scope of the invention is, therefore, indicated by the appended claims rather than by the foregoing description. All changes which come within the meaning and range of equivalency of the claims are to be embraced within their scope.

What is claimed and desired to be secured by patent is:
 1. A method executed by computer(s) for controlling disclosure of sensitive information provided by an information provider, comprising the steps of: obtaining at least one disclosure condition; hiding copies of the sensitive information in a network; checking at least once for occurrence of the disclosure condition; and if occurrence of the disclosure condition is detected then disclosing at least a portion of the sensitive information.
 2. The method of claim 1, wherein the sensitive information is hidden by encryption.
 3. The method of claim 1, wherein the sensitive information is hidden by a file disguise.
 4. The method of claim 1, wherein the hiding step hides at least ten copies of the sensitive information.
 5. The method of claim 1, wherein the hiding step hides at least one hundred copies of the sensitive information.
 6. The method of claim 1, wherein the hiding step hides at least one thousand copies of the sensitive information.
 7. The method of claim 1, wherein the hiding step creates at least one roving message copy.
 8. The method of claim 1, wherein the hiding step creates at least one poised message copy.
 9. The method of claim 1, further comprising the steps of: obtaining at least one deletion condition; checking at least once for occurrence of the deletion condition; and if occurrence of the deletion condition is detected then deleting at least a portion of the sensitive information.
 10. The method of claim 9, wherein cancellation by the information provider is a deletion condition, and the user requests such cancellation.
 11. The method of claim 1, further comprising the steps of accepting a message update and storing the message update.
 12. The method of claim 11, wherein the message update is a searching update which is not directed at a particular copy of the corresponding message to be updated.
 13. The method of claim 11, wherein the message update is directed at a particular copy of a corresponding roving message to be updated.
 14. The method of claim 11, wherein the message update is directed at a particular copy of a corresponding poised message to be updated.
 15. The method of claim 11, wherein at least a portion of the sensitive information is disclosed using at least one destination specified by the information provider.
 16. The method of claim 15, wherein a region destination was specified by the information provider and disclosure includes disclosure in that region.
 17. The method of claim 15, wherein a deadman switch disclosure condition was specified by the information provider and disclosure is triggered by that condition.
 18. The method of claim 1, wherein at least a portion of the sensitive information is disclosed using at least one format specified by the information provider.
 19. A computer storage medium having a configuration that represents data and instructions which will cause at least a portion of a computer system to perform method steps for controlled message disclosure, the method steps comprising the steps of: obtaining at least one disclosure condition; storing copies of a message in a network; checking for occurrence of the disclosure condition; and if occurrence of the disclosure condition is detected then disclosing at least a portion of the message.
 20. The storage medium of claim 19, wherein the storing step comprises placing a copy of the message in a file disguise.
 21. The storage medium of claim 19, wherein the storing step stores at least one thousand copies of the message.
 22. The storage medium of claim 19, wherein the storing step stores at least one roving message copy.
 23. The storage medium of claim 19, wherein the storing step stores at least one poised message copy.
 24. The storage medium of claim 19, wherein the method further comprises the steps of: obtaining at least one deletion condition; checking for occurrence of the deletion condition; and if occurrence of the deletion condition is detected then locating copies of the message and deleting all located copies of the message.
 25. The storage medium of claim 19, wherein the method further comprises the steps of accepting a message update and storing the message update.
 26. The storage medium of claim 19, wherein at least a portion of the message is disclosed to at least one destination.
 27. The storage medium of claim 26, wherein disclosure includes sending a copy of at least a sensitive information component of the message to an email destination.